Hi,
I believe I have gotten a pretty bad virus. I was downloading a program that supposedly monitored my router bandwidth but turned out to be a virus. My antivirus (KIS9) didn't say anything was wrong. But processes named a.exe, b.exe, c.exe and msa.exe were in my task manager. I tracked these files down and found them in my temp directory. I didn't need anything in my temp directory so I deleted all of its contents in case anything else required by the virus was in there. I knew the virus wouldn't be gone. I went on the internet and googled the exes; however, any google links I clicked redirected me to random websites or dodgy search engines. I tried clicking the links several times and they eventually worked on about the third go. The forums explained about using AVZ and stuff and the users that were asking the questions uploaded reports and their problems were fixed from there. As an experiment I restarted my PC to see if the processes would start again. They didn't.... AND KASPERSKY WASN'T RUNNING! I tried to start it manually but I received the message: "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item." I got seriously worried. I downloaded a program called "SuperAntiSpyware" because I read on a forum it was good. I ran two scans and it picked up some viruses and deleted them. (I can email their reports on request.) AVP.exe still didn't work, so I uninstalled KIS 2009 and installed a trial of KIS10. It ran (before I restarted again). I ran a scan with it and it also picked up 2 viruses and removed them (some of the files from C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP9\Report can be emailed or uploaded on request). Then I restarted again. avp.exe didn't work. Get the idea? The virus is blocking any antivirus applications.
So I downloaded AVZ because it helped the other people and ran a scan. It got part of the way through and then crashed (leaving an avz.gid file that I can email or upload on request). I tried to start it again and it came up with the same error message as Kaspersky 10 and Kaspersky 09 after they had been shut down. What should I do? I can reinstall KIS10 again and it will run until I restart; as for avz.exe I can do the same. Might renaming the exes help?
Thanks in advance

It sounds like Police Pro; if it is, it will take several different tasks to remove it. We will use a different method than AVP, although it is a great tool.
Please save this file to your desktop.
Please double click on the Win32kDiag file and post the log it produces. This log might be quite lengthy and may take more than one post to get all of it posted.

Running from: C:\Documents and Settings\Owner\My Documents\Downloads\Firefox\Win-32-k-Diag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19.tmp\ZAP19.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP309.tmp\ZAP309.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP68.tmp\ZAP68.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\UnManaged\S-1-5-21-796845957-651377827-515967899-1003\S-1-5-21-796845957-651377827-515967899-1003
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\{6030FDAF-C39D-4BEE-991F-2F95BF54F66D}\{6030FDAF-C39D-4BEE-991F-2F95BF54F66D}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^

This may save a step or two.
Go to start> run> type in cmd click ok.
Copy and paste this command at the blinking cursor, then press enter. You may have to type it in manually; if you type it in manually, note the spaces after these: DIR, /a/s, each .dll, Log.txt, &, START

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

Volume in drive C has no label.
Volume Serial Number is F0DD-5EF4

Directory of C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\SP2QFE

06/02/2009 18:46 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\SP2QFE

06/02/2009 18:46 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\system32

14/04/2008 12:00 181,248 scecli.dll

Directory of C:\WINDOWS\system32

19/07/2009 16:01 407,552 netlogon.dll
2 File(s) 588,800 bytes

Total Files Listed:
4 File(s) 1,404,928 bytes
0 Dir(s) 79,419,805,696 bytes free
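
The listing above shows netlogon.dll with two different sizes. As an added example that is not part of the thread or of any tool named in it, this Python script parses such a DIR /a/s listing and reports a requested DLL with no copy found anywhere, and a DLL whose live system32 copy has a size no other on-disk copy shares. The sample input is constructed from the listing above; reading the helper's command as a cross-check of those three DLLs is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the DIR /a/s listing posted in the thread, trimmed to the
# lines that matter and with the forum-collapsed line breaks restored.
DIR_LOG = """\
 Directory of C:\\WINDOWS\\SoftwareDistribution\\Download\\78cf8552430e25a8f24bc1e4dfb1970e\\SP2QFE
06/02/2009  18:46           408,064 netlogon.dll
 Directory of C:\\WINDOWS\\SoftwareDistribution\\Download\\de81b460c3abcfc5b8494c785a5f3944\\SP2QFE
06/02/2009  18:46           408,064 netlogon.dll
 Directory of C:\\WINDOWS\\system32
14/04/2008  12:00           181,248 scecli.dll
 Directory of C:\\WINDOWS\\system32
19/07/2009  16:01           407,552 netlogon.dll
               2 File(s)        588,800 bytes
"""

# The three DLLs named in the helper's DIR command.
REQUESTED = ("scecli.dll", "netlogon.dll", "eventlog.dll")

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_LINE = re.compile(r"^(\d\d/\d\d/\d{4})\s+\d\d:\d\d\s+([\d,]+)\s+(\S+)\s*$")

def parse_dir_listing(text):
    """Map each file name (lower-cased) to a list of (directory, date, size_bytes)."""
    copies = defaultdict(list)
    current_dir = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_LINE.match(line)
        if m and current_dir:  # summary lines such as "2 File(s)" do not match
            date, size, name = m.groups()
            copies[name.lower()].append((current_dir, date, int(size.replace(",", ""))))
    return dict(copies)

def review_dlls(copies, requested=REQUESTED):
    """Return (missing, mismatched): requested DLLs with no copy found anywhere, and
    DLLs whose live system32 copy has a size none of the other on-disk copies share."""
    missing = [name for name in requested if name not in copies]
    mismatched = {}
    for name, entries in copies.items():
        live = [e for e in entries if e[0].lower().endswith("\\system32")]
        others = {e[2] for e in entries if not e[0].lower().endswith("\\system32")}
        if live and others and live[0][2] not in others:
            mismatched[name] = (live[0][2], sorted(others))
    return missing, mismatched
```

On the sample it reports eventlog.dll as missing from the listing and netlogon.dll's system32 copy (407,552 bytes) as differing from the two cached copies (408,064 bytes).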

Please download ComboFix to the desktop from one of the following links:
Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename combofix.exe to Combo-Fix, then click save.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

This same thing happened to me today, only I wasn't downloading anything. I got assaulted by a website. I can't access any antivirus websites and I had the a, b, c, and d files in my temporary folder. I also have a ton (as in ten or so) of processes running which are questionable: lsass.exe, rundll32.exe, smss.exe, crss.exe, FastNetSrv.exe, CSHelper.exe and more. I have no idea what to do for such an invasive bunch of malware.
